A remote code execution vulnerability has been discovered in the PAN-OS. The vulnerability has been assigned CVE-2017-15944. By exploiting this vulnerability an attacker can achieve arbitrary code execution in root context. The target is the web based management interface provided by the device for configuration and maintenance. The vulnerable versions are PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6. Palo Alto has addressed this vulnerability in PAN-SA-2017-0027
Exploitation
Code execution is achieved by chaining 3 separate bugs in the OS. Each bug affecting different aspects of the management interface.
Partial Authentication Bypass:
The config file for web management interface /etc/appweb3/conf/common.conf
enforces an authentication filter for almost all sub-directories. The requests are authenticated based on the session cookie. The PHP session is described as serialized data whose format is var_name|s:string length:"string value"; var_name|s:string length:"string value";.....
Where var_name
can be set to various properties like locale, user, dloc
etc. We are interested in user
and dloc
The function openAuthFilter
is used to authenticate the cookie . openAuthFilter
calls readSessionVarsFromFile
to extract the values for variables user
and dloc
. readSessionVarsFromFile
uses a custom parser instead of PHP functions designed to read serialized data. This parser is not implemented properly and can be corrupted. We can target this bug via custom GET request to /esp/cms_changeDeviceContext.esp.
/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337"
An attacker can introduce a value into the session file which contains “;
. An XML request is generated using this value and forwarded to the back-end. The extra ;
causes the parser to fail but panCheckSessionExpired()
still assumes that authentication has succeeded.
Arbitrary Directory Creation
/php/utils/router.php handles API requests, It exposes the PHP classes over HTTP POST/JSON and calls get
method defined in /php/device/Administrator.php
to handle the incoming JSON requests. get fails to sanitize jsonArgs->id
parameter and appends it to an XML request which is sent to and parsed by pan_cfg_req_ctxt_construct()
. a regular request looks like:
<request cmd="get" obj="/config/mgt-config/users/entry[@name='admin']" cookie="12312312312"/>
After parsing the request it will create a temporary file in the parent directory /opt/pancfg/session/pan/user_tmp/<cookie value>/<jobid>.xml based on the obj
parameter of the request. We can inject our own value in to obj
. <cookie value>
is user controlled. By setting the appropriate cookie value we can launch a directory traversal attack to create a directory anywhere.
Command Injection
The cron script /usr/local/bin/genindex_batch.sh executes every 15 minutes, it executes /usr/local/bin/genindex.sh to index the database files in /opt/pancfg/mgmt/logdb/. There is command-line injection vulnerability in the way it processes the file names. With the right file name we can get it to execute arbitrary system commands.
Summing it up
We can use the directory traversal attack to create a directory under /opt/pancfg/mgmt/logdb/ . The name of the directory is set in a way such that, When /usr/local/bin/genindex.sh reads the file name it will execute the command under root context.
Mitigation
Please apply the latest patches as directed by PAN-SA-2017-0027. The vulnerability has been fixed in versions PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14 and PAN-OS 8.0.6. Scan your network using QID 38698 to detect vulnerable targets. The QID looks for the vulnerable version of PAN-OS via XML API.
Please continue to follow Qualys Threat Protection for information on various vulnerabilities.
References
CVE-2017-15944
CVE-2017-15944: Palo Alto Networks firewalls remote root code execution
PAN-OS Security Advisory